-
Notifications
You must be signed in to change notification settings - Fork 710
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix failing file_permissions_crontab #12807
Conversation
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed'.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -224,5 +224,14 @@
[reference]:
SRG-OS-000480-GPOS-00227
+[reference]:
+2.2.6
+
+[reference]:
+2.2
+
[rationale]:
The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.
+
+[ident]:
+CCE-86178-1
OVAL for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- oval:ssg-package_cron_installed:def:1
+++ oval:ssg-package_cron_installed:def:1
@@ -1,2 +1,2 @@
criteria AND
-criterion oval:ssg-test_package_cron_installed:tst:1
+criterion oval:ssg-test_package_cronie_installed:tst:1
OCIL for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- ocil:ssg-package_cron_installed_ocil:questionnaire:1
+++ ocil:ssg-package_cron_installed_ocil:questionnaire:1
@@ -1,4 +1,4 @@
-Run the following command to determine if the cron package is installed:
-$ rpm -q cron
+Run the following command to determine if the cronie package is installed:
+$ rpm -q cronie
Is it the case that the package is installed?
bash remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -1,8 +1,8 @@
# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
-if ! rpm -q --quiet "cron" ; then
- yum install -y "cron"
+if ! rpm -q --quiet "cronie" ; then
+ yum install -y "cronie"
fi
else
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -2,7 +2,10 @@
package_facts:
manager: auto
tags:
+ - CCE-86178-1
- NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
- enable_strategy
- low_complexity
- low_disruption
@@ -10,13 +13,16 @@
- no_reboot_needed
- package_cron_installed
-- name: Ensure cron is installed
+- name: Ensure cronie is installed
package:
- name: cron
+ name: cronie
state: present
when: '"kernel" in ansible_facts.packages'
tags:
+ - CCE-86178-1
- NIST-800-53-CM-6(a)
+ - PCI-DSSv4-2.2
+ - PCI-DSSv4-2.2.6
- enable_strategy
- low_complexity
- low_disruption
blueprint remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -1,4 +1,4 @@
[[packages]]
-name = "cron"
+name = "cronie"
version = "*"
puppet remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -1,7 +1,7 @@
-include install_cron
+include install_cronie
-class install_cron {
- package { 'cron':
+class install_cronie {
+ package { 'cronie':
ensure => 'installed',
}
}
anaconda remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -1,2 +1,2 @@
-package --add=cron
+package --add=cronie
kickstart remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -1,2 +1,2 @@
-package install cron
+package install cronie
bootc remediation for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -1,2 +1,2 @@
-dnf install cron
+dnf install cronie |
/packit retest-failed |
@jan-cerny I tested locally and your fix works, thank you. Could you please rebase? Those failures on Fedora look strange, I wonder what is going on. Maybe the rebase will fix it. |
The rule `file_permissions_crontab` fails in a scan performed after deployment of a CentOS Stream 9 bootable container image hardened with the PCI-DSS profile. The HTML report shows that the mode of `/etc/crontab` is `0640` but the rule expects the mode of this file should be `0600`. The rule passed during the container image build process because the file `/etc/crontab` didn't exist. The root cause is that the `cronie` RPM package that provides `/etc/crontab` is neither present in the CS 9 base image nor it's installed as a dependency of the PCI-DSS profile. We will fix this problem by including the rule `package_cron_installed` to the profile which will install the `cronie` package before `oscap` and then it will change the `/etc/crontab` mode during remediation.
I have rebased this PR on the latest upstream master branch which already contains the workaround for the pcre2.py installation issue. |
Code Climate has analyzed commit 64f43d3 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 61.8% (0.0% change). View more on Code Climate. |
/packit retest-failed |
1 similar comment
/packit retest-failed |
/packit build |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. I tried to reproduce the failing test in the SLE container and I did not manage to do that. It is probably some problem with the container.
0b825f3
into
ComplianceAsCode:master
The rule
file_permissions_crontab
fails in a scan performed after deployment of a CentOS Stream 9 bootable container image hardened with the PCI-DSS profile. The HTML report shows that the mode of/etc/crontab
is0640
but the rule expects the mode of this file should be0600
. The rule passed during the container image build process because the file/etc/crontab
didn't exist. The root cause is that thecronie
RPM package that provides/etc/crontab
is neither present in the CS 9 base image nor it's installed as a dependency of the PCI-DSS profile. We will fix this problem by including the rulepackage_cron_installed
to the profile which will install thecronie
package beforeoscap
and then it will change the/etc/crontab
mode during remediation.